qemu/virtio-net-Avoid-indirection_table_mask-overflow.patch

From cc875acdbf0ab210ce467f27c621fe7dc2159110 Mon Sep 17 00:00:00 2001
From: zhangchujun <zhangchujun@cmss.chinamobile.com>
Date: Wed, 30 Oct 2024 10:57:05 +0800
Subject: [PATCH] virtio-net: Avoid indirection_table_mask overflow

We computes indirections_len by adding 1 to indirection_table_mask, but
it may overflow indirection_table_mask is UINT16_MAX. Check if
indirection_table_mask is small enough before adding 1.

Fixes: 5907902 ("virtio-net: implement RSS configuration command")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: zhangchujun <zhangchujun_yewu@cmss.chinamobile.com>
---
 hw/net/virtio-net.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 432c433540..d5008b65ec 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1400,17 +1400,17 @@ static uint16_t virtio_net_handle_rss(VirtIONet *n,
     n->rss_data.hash_types = virtio_ldl_p(vdev, &cfg.hash_types);
     n->rss_data.indirections_len =
         virtio_lduw_p(vdev, &cfg.indirection_table_mask);
-    n->rss_data.indirections_len++;
     if (!do_rss) {
-        n->rss_data.indirections_len = 1;
+        n->rss_data.indirections_len = 0;
     }
-    if (!is_power_of_2(n->rss_data.indirections_len)) {
-        err_msg = "Invalid size of indirection table";
+    if (n->rss_data.indirections_len >= VIRTIO_NET_RSS_MAX_TABLE_LEN) {
+        err_msg = "Too large indirection table";
         err_value = n->rss_data.indirections_len;
         goto error;
     }
-    if (n->rss_data.indirections_len > VIRTIO_NET_RSS_MAX_TABLE_LEN) {
-        err_msg = "Too large indirection table";
+    n->rss_data.indirections_len++;
+    if (!is_power_of_2(n->rss_data.indirections_len)) {
+        err_msg = "Invalid size of indirection table";
         err_value = n->rss_data.indirections_len;
         goto error;
     }
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-24: - ppc/xive: Fix ESB length overflow on 32-bit hosts - target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64 - target/ppc: Fix migration of CPUs with TLB_EMB TLB type - target/arm: Clear high SVE elements in handle_vec_simd_wshli - module: Prevent crash by resetting local_err in module_load_qom_all() - tests/docker: update debian i686 and mipsel images to bookworm - target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed) - docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str - block/blkio: use FUA flag on write zeroes only if supported - virtio-pci: Fix the use of an uninitialized irqfd - hw/cxl: Ensure there is enough data to read the input header in cmd_get_physical_port_state() - intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL - virtio-net: Avoid indirection_table_mask overflow - Fix calculation of minimum in colo_compare_tcp - target/riscv/csr.c: Fix an access to VXSAT - linux-user: Clean up unused header - raw-format: Fix error message for invalid offset/size - hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion - tests: Wait for migration completion on destination QEMU to avoid failures - acpi: ged: Add macro for acpi sleep control register - hw/intc/openpic: Improve errors for out of bounds property values - hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge - docs/tools/qemu-img.rst: fix typo (sumarizes) - audio/pw: Report more accurate error when connecting to PipeWire fails - audio/pw: Report more accurate error when connecting to PipeWire fails - dma: Fix function names in documentation Ensure the function names match. - edu: fix DMA range upper bound check - platform-bus: fix refcount leak - hw/net/can/sja1000: fix bug for single acceptance filter and standard frame - tests/avocado: fix typo in replay_linux - util/userfaultfd: Remove unused uffd_poll_events - Consider discard option when writing zeros - crypto: factor out conversion of QAPI to gcrypt constants - crypto: drop gnutls debug logging support - crypto: use consistent error reporting pattern for unsupported cipher modes - hw/gpio/aspeed_gpio: Avoid shift into sign bit Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit b6e04df301d30895427ab41a1edff0f40149bdd9) 2024-11-30 08:36:49 +08:00			`From cc875acdbf0ab210ce467f27c621fe7dc2159110 Mon Sep 17 00:00:00 2001`
			`From: zhangchujun <zhangchujun@cmss.chinamobile.com>`
			`Date: Wed, 30 Oct 2024 10:57:05 +0800`
			`Subject: [PATCH] virtio-net: Avoid indirection_table_mask overflow`

			`We computes indirections_len by adding 1 to indirection_table_mask, but`
			`it may overflow indirection_table_mask is UINT16_MAX. Check if`
			`indirection_table_mask is small enough before adding 1.`

			`Fixes: 5907902 ("virtio-net: implement RSS configuration command")`
			`Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>`
			`Signed-off-by: Jason Wang <jasowang@redhat.com>`
			`Signed-off-by: zhangchujun <zhangchujun_yewu@cmss.chinamobile.com>`
			`---`
			`hw/net/virtio-net.c \| 12 ++++++------`
			`1 file changed, 6 insertions(+), 6 deletions(-)`

			`diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c`
			`index 432c433540..d5008b65ec 100644`
			`--- a/hw/net/virtio-net.c`
			`+++ b/hw/net/virtio-net.c`
			`@@ -1400,17 +1400,17 @@ static uint16_t virtio_net_handle_rss(VirtIONet *n,`
			`n->rss_data.hash_types = virtio_ldl_p(vdev, &cfg.hash_types);`
			`n->rss_data.indirections_len =`
			`virtio_lduw_p(vdev, &cfg.indirection_table_mask);`
			`- n->rss_data.indirections_len++;`
			`if (!do_rss) {`
			`- n->rss_data.indirections_len = 1;`
			`+ n->rss_data.indirections_len = 0;`
			`}`
			`- if (!is_power_of_2(n->rss_data.indirections_len)) {`
			`- err_msg = "Invalid size of indirection table";`
			`+ if (n->rss_data.indirections_len >= VIRTIO_NET_RSS_MAX_TABLE_LEN) {`
			`+ err_msg = "Too large indirection table";`
			`err_value = n->rss_data.indirections_len;`
			`goto error;`
			`}`
			`- if (n->rss_data.indirections_len > VIRTIO_NET_RSS_MAX_TABLE_LEN) {`
			`- err_msg = "Too large indirection table";`
			`+ n->rss_data.indirections_len++;`
			`+ if (!is_power_of_2(n->rss_data.indirections_len)) {`
			`+ err_msg = "Invalid size of indirection table";`
			`err_value = n->rss_data.indirections_len;`
			`goto error;`
			`}`
			`--`
			`2.41.0.windows.1`